Conference report
Alliance against commercial cybercrime
7 December 1999, London
The International Chamber
of Commerce's (ICC's) one day conference "The alliance against commercial cybercrime"
took place on 7 December 1999. Given the phenomenal growth of the Internet and
the almost equally rapid development of e-commerce, it was a timely event. As
one speaker after another confirmed, cybercrime is a growing problem to governments,
companies and individuals. It is already casting a large shadow over an otherwise
remarkably positive development: the shrinking of distance and elimination of
borders brought about by the Internet. The complexity of cybercrime and the
difficulties encountered by authorities in finding those responsible look set
to be one of the more vexing criminal - and commercial - problems of the new
millennium.
The opening session, chaired
by ICC Secretary General Maria Livanos Cattaui, looked at how to counter the
threat of commercial cybercrime. Ms Cattaui noted that such crime is both a
business and law enforcement issue. She suggested that companies and the police
face major problems of resources and expertise, whilst successful prosecution
is often complicated by questions of jurisdiction: cybercrime knows no borders.
David Veness, assistant
commissioner, specialist operations for the Metropolitan Police, Scotland Yard,
UK, emphasised that the global communications network has been a remarkable
development but noted that crimes against it "represent a remarkable challenge
to the law enforcement community". The key features of this challenge are:
1. To recognise the problem and understand it;
2. To define the problem properly: definitions are needed to categorise threats
and differentiate those relevant to national security and law enforcement agencies;
3. To resolve the problem of law enforcement response and police priorities.
Traditionally, the focus
of law enforcement has been local, on the resident as a victim of burglary or
robbery. The challenge now is to internationalise policing and criminal justice
systems. Tackling existing international crime has proven to be very problematic:
dealing with more complex cybercrimes will therefore pose even more of a problem.
Mr Veness underlined the
fact that cybercrime can take many forms, all familiar outside the net: blackmail,
pornography/paedophilia, investment frauds, terrorism/political extremism, economic
and industrial sabotage and subversion.
The secret of a successful
investigative response is partnership between the public and private sector.
Mr Veness noted that victims of cybercrime are part of the solution and must
overcome any sensitivity about "being the victim" and keep investigative officials
fully informed. For their part, officials need to improve their knowledge -
of encryption and how to trace cybercriminals - through ongoing programs to
reduce crime.
Raymond Kendall, Secretary General of Interpol, noted figures suggesting that
sales of goods over the net are increasing at a phenomenal rate; he also admitted
that the growth of cybercrime that has accompanied this e-commerce has caught
almost everybody unprepared.
One of the biggest constraints is national sovereignty. International conventions
to fight crime are notoriously slow in being ratified: the 1988 UN Convention
on Trafficking in drugs, which includes money laundering clauses, was only ratified
by France six years later, whilst many countries still do not have legislation
to fight money launderers.
"We have been responding
to international problems with national responses", he said, noting that even
the European Union does not have a common judicial space. He also emphasized
that "we still don't have a clear definition of organized crime, money laundering
or cybercrime".
Mr Kendall said that Interpol
was prioritizing the employment of technicians, but in so doing it was competing
with the private sector and had to pay the going market price - which is high.
The only way law enforcement bodies can do this is in conjunction with the private
sector.
"We need political will.
It is there - there is an understanding of the problems - but this must be translated
into action. The problem is the international community is not good at this".
However, Mr Kendall suggested there is now a new willingness to act.
Michael Vatis, director
of the National Infrastructure Protection Center at the FBI, Washington DC,
called for different layers of partnership between the government and private
sector, between different government agencies and between countries, to deal
with problems collectively. The aim must be to prevent cybercrime and not just
detect it. The key to this is sharing information, especially that from the
private sector, with what is gathered being put into the FBI database. Mr Vatis
agreed with Mr Kendall that the public and private sector have to work together,
with business providing its cutting edge knowledge.
Different public agencies
should also share information - when a hacking crime is first detected, it is
never clear precisely what crime is being committed. And multinational partnership
is essential: hackers know no boundaries and will loop through ISPs (Internet
service providers) in several countries before getting to their victim. Therefore,
as much international support and as many contacts as possible are vital, although building
these takes time and can be complicated by differing national approaches to
cybercrime - as opposed to normal law enforcement matters. Mr Vatis concluded
by calling for "proactive, pre-emptive prevention".
Brian Jenkins, a special
advisor to ICC and a respected international authority on cybercrime, pointing
to credit cards, cellphones and now the Internet, noted that "criminal innovation
always accompanies technological advances, creating the need for new or revised
criminal statutes and a new need for enforcement." However, he stressed that,
in turn, new legislation always lags behind criminal innovation: "the first round
always goes to the criminal." He said it often requires a "catastrophe" to push
authorities to deal with a problem, but at the same time the private sector
has the responsibility to prevent crime developing.
Mr Jenkins stressed that
increasing competition has led to an explosion in all forms of economic espionage,
and that even he - as a freelance business consultant - had been asked "seven
or eight" times for inside information on other companies. In terms of cybercrime,
deliberate spreading of viruses and other forms of electronic sabotage have
a high nuisance level; more will be at stake as e-commerce continues to grow.
The worst type of electronic break-in is that which leads to cyberwar where
the financial and control systems of a company are attacked, although "fortunately
we haven't seen too much of this".
So how extensive is cybercrime?
Mr Jenkins says it is "pervasive and growing, but so is the Internet: so which
is growing faster?" He estimated cybercrime is lagging net growth by some 7%
but some scams - such as financial service hoaxes - were growing faster. Cybercrime
is also becoming increasingly sophisticated, moving away from the preserve of
precocious adolescents as diffusion of technology has advanced.
The future? Jenkins suggested
the Internet was a "turbulent frontier" which could be brought under control
if an effective legal regime was devised. The worst case scenario was the "Medellin
scenario" with the net "swamped by organized crime".
Steve Forest, detective
inspector for the fraud squad of the West Midlands Police force, Birmingham,
UK, emphasized crime-fighters' lack of resources. This has become especially
acute in performance-driven cultures such as the UK where tracking down crimes,
originating, say, in Brazil is often not deemed to be cost-effective. Police
forces in the UK and elsewhere are highly localized, yet are increasingly having
to deal with global crimes. For most people in the West Midlands - and elsewhere
- local crime issues very much take precedence over net crime. There are other
problems of prosecution, says Forest. "Many judges cannot operate an arch level
file, so trying to explain Internet crime to them is very difficult".
The panel was asked about
conflicts of interest in information sharing. Mr Vatis stressed that the most
useful shared information was that relating to prevention: details about viruses,
for example, and how to trace and deal with them. He stressed that the FBI receives
information from companies on a highly confidential basis and goes out of its
way to reassure them that it rarely needs information on companies' internal systems
to investigate a crime. He said the key was to create islands of trust and "a
general awareness of the problem so people begin to think about it". Mr Veness
said he was encouraged by the fact that although companies do not like details
about their being victims of cybercrime to get into the public domain, there
are encouraging signs: the financial services sector, for example, has faced
threats "with a commonality of response".
The second session looked
at the types of crime and methods used by cyber-criminals. Geoff Donson, detective
constable at the Computer Crime Squad, New Scotland Yard, UK, noted that under
existing legislation in the UK it is not possible to arrest a person for illegal
access to a computer and that once a prosecution has been made, the maximum
penalty is six months. With such inadequate legal penalties, international cooperation
- vital though this is - is a secondary concern. He suspects cybercrime is under-reported
in the financial/banking sector.
Jim Oakes, vice president
of Citibank's Investigative Services Unit, UK, detailed one of the best known
cybercrimes to date: the siphoning off of Citibank funds from Latin America
by Vladimir Levin, a hacker based in Russia, in 1994. Citibank recovered all
but $400,000 of the $10 million stolen and apprehended those responsible, but
Oakes admitted that detection was complex and very costly. He said the biggest
problem is password security; cyber-criminals often corrupt disgruntled employees
to access systems, and the speed of the net is such that money can be on the
other side of the world before its loss is detected. Mr Oakes said Citibank
employed people to try to hack into the bank's system so it could identify gaps
in security.
Alan Wilson, head of training
and external affairs at the London Stock Exchange, suggested the most serious
cybercrimes he had come across involved market manipulation, with hackers logging
onto companies' legitimate web-sites, down-loading and then altering the information,
before putting it back onto the web. Word of mouth then draws attention to the
fake web-site, impacting on the company's share price - usually negatively,
if the hackers are selling stock short. Such techniques can be commercially
very damaging over the long-term as it is hard to recover from bad news - even
fake bad news.
Terry Lenzner, chairman
of Investigative Group International, US, suggested major ISP companies such
as AOL should get together to form a regulatory environment agreeable to them
all; he also said there was a need to further develop encryption and smartcards
to deal with "the wave of false information."
Pottengal Mukundan, Director
of ICC Commercial Crime Services, briefed participants on the role of his organization's
new cybercrime unit, which is building a database on criminal methods in cyberspace
and will act as an interface between law enforcement and the private sector
to meet the conference's objectives.
The third and fourth parts
of the conference focused on international enforcement and on building company
defences against cybercrime. Rainer Bührer, head of the economic crime branch
at Interpol, said that the user-friendliness of the Internet, the fact it is
inexpensive to access and provides anonymity to the criminal, makes cybercrime
almost irresistible to some. However, legal solutions are slow and bureaucratic,
which means the only way forward is through ISPs - and others responsible for
web content - exercising self-regulation. This point-of-view was challenged
by others at the conference who noted very real logistic and philosophical concerns
in imposing such controls on the Internet: indeed, controls undermine the very
purpose of the net.
On the other hand, lack
of regulation could lead to major problems in e-commerce and other key areas
of activity. Brian Jenkins anticipated that the burden of protecting against
cybercrime will continue to fall on companies. Their first line of defence should
be due diligence, although enhanced staff training should also be undertaken.
John Bullard, managing director of Identrus, UK, said his company could issue
a "digital certificate" to companies to minimize risks of fraud or misidentification.
Such a certificate enables a "more efficient and reliable risk management system"
encouraging business in cyber-space. Mel Proudfoot, executive director at Oracle,
UK, reinforced the view that it is the company's responsibility to safeguard
its information, and that a company's security policy was critical. The focus
should not be on policing the whole net but on "safeguarding one's own part
of it to ensure the Internet revolution is a revolution for good and not bad".
John Austin, a renowned
expert on the Internet, reinforced the difficulties posed by the global nature
of the net and problems of jurisdiction when attempting to prosecute cybercrime.
Noting that "extradition is expensive and not always successful", Mr Austin
proposed that offences should always be prosecuted in the countries where they
have taken place. However, many countries have no laws at all against cybercrime,
which suggests that cyber-criminals from such places will become increasingly
numerous.
Concluding, Maria Cattaui
proposed that ICC - as the world business organization with thousands of members
in some 140 countries - was well placed to gather an informal group in the field
of law, law enforcement and business to meet on an informal basis to exchange
information and discuss possible action plans. She suggested the OECD and G8
countries should convene this group and use it as a benchmark of thought on
the whole issue of cybercrime.
Mr Veness concluded that
three key issues were identified as being of vital importance in the fight against
cybercrime:
1. The sharing of information, with victims encouraged "to come forward".
2. Companies recognizing that the onus of prevention is very much on them.
3. Partnerships between agencies, between the public and private sector and
internationally.
Mr Vatis concluded: "I am
an optimist. We have made tremendous progress in preparing to deal with these
problems. There is a long way to go but there are good signs. Co-operation between
the private and public sector is not a luxury but a necessity". Prosecution
is important but even more so is deterrence.
Brian Jenkins suggested
the objective should be similar to that of the Internet. "We should be a network
of like-minded people not bound by legislation, who create relationships and
build knowledge to solve problems."
ICC Commercial Crime Services